20,000 USDC
Submission Details
Severity: high
Valid

`giveLoan` will make the interest significantly bigger for the user

Summary

If pools giveLoan to each other, the accumulated fees for the user will be significantly bigger.

Vulnerability Details

When a loan is given to another pool, the principal of the original borrow is increased by the fees accumulated so far. The problem is that once the loan is held by the new pool, the interest accumulated up to that point itself starts accruing interest (effectively compound interest).
A user who controls two pools (from two different wallets) and has a borrower with a loan in either of them can repeatedly `giveLoan` from one pool to the other to significantly increase their earnings.
A simple example would be as follows:
User A takes a borrow of 100 WETH at the equivalent of 10% interest per month for 2 months (and expects to pay back 120 WETH).
1 month goes by and the original pool owner decides to give the loan to another pool with the same params. The new totalDebt is 100 * 1.1 = 110 WETH.
1 more month goes by and the user now wants to repay their loan. The repay amount is calculated as 110 * 1.1 = 121 WETH.
The user expected, and should have repaid, only 120 WETH, but because of `giveLoan` they now have to repay 121 WETH.
Note: This is an oversimplified version. The more times `giveLoan` is repeated, the higher the repay amount becomes.
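The arithmetic above, as an added model written for this review rather than code from the audited protocol: a minimal `Loan` record with a `give_loan_vulnerable` path that folds accrued interest into the debt (the behaviour described in this finding) and a `give_loan_fixed` path that books accrued interest separately so the principal never compounds. Amounts are integer wei and the rate is in basis points per 30-day month, mirroring Solidity-style integer math; the names and fields are assumptions, not the protocol's own. The simulation also generalises the example to transfers every 15 days to show the repay amount growing with each `giveLoan`.

```python
from dataclasses import dataclass

BPS = 10_000          # basis-point denominator
WETH = 10**18         # 1 WETH in wei; all amounts below are integer wei
MONTH_DAYS = 30       # the finding quotes a monthly rate; time is tracked in days


@dataclass
class Loan:
    """Hypothetical loan record (not the protocol's struct)."""
    debt: int          # principal that interest is computed on
    rate_bps: int      # interest per 30-day month, in basis points (1000 = 10%)
    start: int         # day at which interest last started accruing
    accrued: int = 0   # interest booked but kept out of `debt` (fixed path only)


def interest_since_start(loan: Loan, now: int) -> int:
    """Simple interest on the current debt for the days since `start`."""
    days = now - loan.start
    return loan.debt * loan.rate_bps * days // (MONTH_DAYS * BPS)


def give_loan_vulnerable(loan: Loan, now: int) -> Loan:
    """Behaviour described in the finding: accrued fees are added to the
    principal, so from here on they earn interest themselves."""
    loan.debt += interest_since_start(loan, now)
    loan.start = now
    return loan


def give_loan_fixed(loan: Loan, now: int) -> Loan:
    """Assumed fix: book the accrued fees separately and restart the clock,
    leaving the interest-bearing principal unchanged."""
    loan.accrued += interest_since_start(loan, now)
    loan.start = now
    return loan


def repay_amount(loan: Loan, now: int) -> int:
    """Principal + previously booked interest + interest since last transfer."""
    return loan.debt + loan.accrued + interest_since_start(loan, now)


def simulate(transfer_days, give_loan, term_days: int = 2 * MONTH_DAYS) -> int:
    """Constructed scenario from the finding: 100 WETH at 10%/month for 2 months,
    transferred between pools on each day in `transfer_days`."""
    loan = Loan(debt=100 * WETH, rate_bps=1000, start=0)
    for day in transfer_days:
        give_loan(loan, day)
    return repay_amount(loan, term_days)


if __name__ == "__main__":
    for label, give_loan in (("vulnerable", give_loan_vulnerable), ("fixed", give_loan_fixed)):
        for transfers in ([], [30], [15, 30, 45]):
            owed = simulate(transfers, give_loan)
            print(f"{label:10s} transfers on days {transfers!s:14s} -> repay {owed / WETH} WETH")
```

With no transfer both paths owe 120 WETH. One vulnerable transfer at day 30 reproduces the 121 WETH in the write-up; transferring every 15 days pushes it above 121.55 WETH, while the fixed path stays at 120 WETH however many times the loan changes pools.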

Impact

The user will be forced to pay much higher fees than what they initially expected under the terms of the loan.

Tools Used

Manual review

Recommendations

Restructure the whole `giveLoan` function so that already-accrued interest is not folded into the interest-bearing principal.
